[clue-tech] sticky bits

Matt Durell Matt.Durell at Durell.Net
Sat May 20 19:35:38 MDT 2000


The 's' in rws means that, when the program is executed, it will run as the
owner, in this case root.

This is useful for things like passwd.  Only root can modify the password
file!  In order for a regular user to do so you SUID the file and now that
trusted program can access files as root.

Just like the 777 directory perms, the initial digit in the series-of-4 sets
the SUID, SGID, or the sticky bit on a file (it does other things to a
directory but they vary between Unices).  4777 = rwsrwxrwx, 2777 =
rwxrwsrwx, 1777 = rwxrwxrwt.  You add those together for what you want, for
example 6775 = rwsrwsr-x, 7777 = rwsrwsrwt.

For those that do not know, the sticky bit (1xxx) keeps the executable in
memory.  Back in the old days it was quite handy to keep /bin/sh in memory
to keep it from accessing the disk.  This isn't really a big deal these
days.

Now, of course, you think that SUID stuff is a security risk, and you're
partially right.  They aren't a risk in and of themselves but someone with
root access could exploit this necessary feature by doing something like
this:

# cp /bin/sh /tmp/.rootsh
# chmod 4755 /tmp/.rootsh
# chown 0:0 /tmp/.rootsh

Now any old user can execute /tmp/.rootsh and have a root shell.  This
exploit was used by the guys that cracked www.apache.org and placed the
"Powered by BackOffice" banner on the page.  Of course, they went through
hell finding the hole (they only wanted to use configuration errors and no
lame buffer overflow stuff).

Hope this helps.  There may be some things that ssh can't do unless it's
SUID.  Read the docs to find out what you are trading for the extra
security.

-----Original Message-----
From: clue-tech-admin at ta8.techangle.com
[mailto:clue-tech-admin at ta8.techangle.com]On Behalf Of Jeffery Cann
Sent: Saturday, May 20, 2000 6:01 PM
To: clue-tech at clue.denver.co.us; clue-tech at ta8.techangle.com
Subject: [clue-tech] sticky bits


Greetings.

I installed OpenSSH (1.2.3) this week and have worked out the kinks in
using sshd and ssh.  I noticed that /usr/bin/ssh has the following file
attributes (4755):

-rwsr-xr-x   1 root     root       217972 May 20 17:35 ssh*

Can someone explain why ssh hangs (a non-root user) as 4755 but not
0755?  I have tried it both ways, and only the 0755 seems to work (i.e.,
prompt for password on remote machine and login if successful).

BTW - I am running like:  $ ssh my.remote.server -l my_user_name (as
non-root user).

Thanks
Jeff

--
Fight UCITA in Colorado!

http://mridanga.com